Jesse Keating wrote:
On Wednesday 05 April 2006 15:26, Josh Bressers wrote:
I'm hoping we can revive this thread. There seems to be marginal interest
in a FE security team. I imagine after LWE and FUDCon, there will be a
renewed interest, so this may be a fine time to move forward.
Since the SIG already exists, I'll let them speak up. If there is no
longer a SIG, that's fine too. Is anybody working on any of these things?
I am very interested in this as well. If nobody steps up, I'll do what it
takes, but largely we need to come up with a security process, and I think we
need guidance from Red Hat's security team.
Is there a SIG?
There used to be; it consisted of me, Jason L Tibbitts III and Dennis
Gilmore. Both Jason and I are currently (also) active in the Games SIG.
I must say I like the Games SIG much better as there is a lot more
getting done there. In the Security Sig it was just all talk, and I'm
not a talker but a doer. I also very much agree that what we need most
is some kinda security process. We need:
-a wiki/Extras/Security page that tells users what to do and expect when
they find a security problem. My suggestion:
-user should search in bugzilla (by CVE in summary if there is a CVE)
Maybe we can create a special form for searching by CVE?
-if it's not in bugzilla the user should submit it there.
-this list gets auto-cc-ed
-the maintainer handles it, asking for help (on this list) as needed
To make this work / get some real tracking:
-if a maintainer finds a bug or pushes a new version with a bug fixed
he/she should put this bug in bugzilla and close it immediately.
-a place and an easy way to send FE security announcements. Last time
I brought this up I landed in some xml mumbo jumbo jungle; what's wrong
with a plain email, with a simple plain text template as a base for
someone wishing to do an announcement to fill in?
Unfortunately, although many maintainers do a great job even on security,
some don't, thus we need:
-some kinda rules (FESco action!) for when someone can step on a maintainer's
toes by pushing a fix to CVS and building it because the maintainer is
not responding to a security bugzilla entry in a timely fashion. I know
that currently anyone can do this if they feel like it, but I for one
would like to have a FESco declared policy for this which I can point a
maintainer at when he gets pissed (iow I want to be able to hide behind
FESco, yes!)
What am I willing to do to help?
-lurk on this list
-check the new security bugs page of lwn against FE
(I have been doing this for the last few weeks)
-help people with security problems in C(++) code
-audit C(++) code on request (see my scorched3d work f.e.)
-audit / check C(++) security patches
What am I not willing to do to help?
-get involved in policy making / procedure forming
-other unneeded bureaucracy (the above is needed!)
-talk talk talk, just point me to a broken piece of code please.
So in light of what I like and what I don't like, consider this one
of my last posts in this thread, but don't mistake this for me being
unwilling to help or being uninterested!
Regards,
Hans
p.s.
I still don't like the default reply-to setting of this list, but let's
not go there.